A chance to amend the GDPR?

The European Union is currently reviewing aspects of the operation of the GDPR. The consultation closes tomorrow so if you want to stick something in you better move fast.

Below is a submission I just made on behalf of various children’s groups.

For several years many children’s organizations have focused on the way the worldwide web facilitates the distribution of child sex abuse material (referred to as “child pornography” in EU Directive 2011/93). The GDPR has done nothing to halt or reduce this criminal exploitation of children. The problem continues to worsen and in no small measure this is due to the fact that the WHOIS database is not maintained as an accurate record and ICANN, the body charged with oversight of WHOIS, refuses to exert itself to improve its accuracy.

The Commission’s formal consultation paper on the GDPR, published in January 2012, made no mention either of ICANN or WHOIS. In the following four years, while the draft was being debated, discussed and amended as the measure made its way through the legislative processes and institutions of the European Union, in none of the publicly available minutes of proceedings is there any record which indicates ICANN or WHOIS were ever even mentioned by officials or politicians, or indeed anyone. This was an oversight, an opportunity missed which has had grave consequences. It is hard to imagine if any democratically accountable politicians or decision-makers had fully understood the nature of the issues surrounding ICANN and WHOIS that they would have let matters rest where they did.

ICANN is the creature of its principal funders, the Registries and Registrars. Registries and Registrars operate on low margins and high volumes. They have no financial incentive to ensure WHOIS contact data are verified as accurate, or that they relate to a genuine physical-world entity who can be contacted, swiftly if necessary, via a genuine address which is actually connected with that entity.

Verification costs money, takes time and it is therefore believed it would reduce the volume of sales and renewals. This might adversely impact the income of Registries and Registrars and therefore, ultimately, ICANN itself. For these reasons the levels of inaccuracy remain extremely high. This fuels, permits and encourages higher levels of crimes of every kind, including crimes against children. In other words, the rest of us pay the price for this avoidable neglect.

The financial and operational penalties attaching to recording and storing inaccurate WHOIS data should be substantial, irrespective of the legal domicile of the Registrar, Registry or indeed ICANN itself. This would help keep the EU’s children safe. Secondly, the limits currently placed on who may access WHOIS data and on what basis are unduly restrictive, time-consuming and expensive. Either we should revert to the status quo ante and make WHOIS fully open to anyone and everyone or some alternative arrangement is made mandatory. Such an arrangement should ensure there is rapid, free access to WHOIS data by anyone with a legitimate interest in receiving it.

The worldwide web is a public space. The use of privacy and proxy services to conceal the identity of a web site owner should only be allowed in prescribed circumstances under rules that are subject to an independent oversight mechanism.


PS: Not included in the formal submission  but the above is yet another illustration of how the under-funded under-strength children’s lobby is too often thwarted in its attempts to cut through the faff and the noise. One way or another, hopefully sooner rather than later, the GDPR must be amended to strip ICANN, Registries and Registrars of any hiding place. They are performing a public function with public safety implications and they are doing it very badly.